1. INTRODUCTION AND PURPOSE

1.1  Introduction 

Risk  management  is  a valuable  management  tool  that  increases  the  institution's 
prospects  of  success  through  getting  it  right  the  first  time  and  minimising  negative 
outcomes.  Local  and  international  trends  confirm  that  risk  management  is  a strategic 
imperative  rather  than  an  option  within  high  performing  institutions. 

Risk  management  will  be  of  benefit  to  Midvaal  Local  Municipality  by  underpinning  and 
bolstering  organisational  performance  through: 

(a)  More  efficient,  reliable  and  cost  effective  delivery  of  services; 

(b)  More  reliable  decisions; 

(c)  Innovation; 

(d)  Minimised  waste  and  fraud; 

(e)  Better  value  for  money  through  more  efficient  use  of  resources;  and 

(f)  Improved  project  and  programme  management,  which  provide  better  outputs  and 
outcomes. 

The  following  factors  require  consideration  when  integrating  risk  management  into 
municipal  decision  making  structures: 

(a)  Aligning  risk  management  with  objectives  at  all  levels  of  the  municipality; 

(b)  Introducing  risk  management  components  into  existing  strategic  planning  and 
operational  practices; 

(c)  Communicating  municipal  directions  on  an  acceptable  level  of  risk; 

(d)  Including  risk  management  as  part  of  employees'  performance  appraisals;  and 

(e)  Continuously  improving  control  and  accountability  systems  and  processes  to  take 
into  account  risk  management  and  its  results. 

Risk management comprises a Risk Management Framework, a Risk Management
Policy, and a Risk Management Implementation Plan.

1.2 Purpose

The purpose of this policy, which flows from the Risk Management Framework as
accepted by the Midvaal Local Municipality, is to provide the principles for
executing what is contained in that Framework. This policy serves to formally set
out Midvaal Local Municipality's position on risk management, and generally
addresses what the municipality will do about risk management.

2. LEGAL MANDATE

2.1  Accounting  Officer 

Section 62(1)(c)(i) of the Municipal Finance Management Act, Act 56 of 2003,
requires that:

"(1)  The  accounting  officer  of  a municipality  is  responsible  for  managing  the  financial 
administration  of  the  municipality,  and  must  for  this  purpose  take  all  responsible 
steps  to  ensure  - 

(c)  that  the  municipality  has  and  maintains  effective,  efficient  and  transparent 
systems  - 

(i) of financial and risk management and internal control."

2.2  Management 

The extension of general responsibilities in terms of Section 78 of the Municipal
Finance Management Act, Act 56 of 2003, to all senior managers and other officials
of municipalities implies that responsibility for risk management vests at all levels
of management and that it is not limited to only the accounting officer and internal
audit.

2.3  Internal  Audit 

Section  165(2)(a),  (b)(iv)  of  the  Municipal  Finance  Management  Act,  Act  56  of  2003 
states  that: 

"(2)  The  Internal  audit  unit  of  a municipality  or  municipal  entity  must  - 

(a)  prepare  a risk  based  audit  plan  and  an  internal  audit  program  for  each  year; 

(b) advise the accounting officer and report to the audit committee on the
implementation of the internal audit plan and matters relating to -

(iv) risk and risk management."

2.4 Audit Committee


Section 166(2)(a)(ii) of the Municipal Finance Management Act, Act 56 of 2003,
states that:

"(2) An audit committee is an independent advisory body which must -

(a) advise the municipal council, the political office-bearers, the accounting
officer and the management staff of the municipality, or the board of directors, the
accounting officer and management staff of the municipal entity, on matters relating
to -

(ii) risk management."

3. DEFINITIONS

3.1  Risk 

Risks  are  uncertain  future  events  which  could  impact  the  achievement  of  objectives. 

3.2  Risk  Management 

Risk  management  entails  co-ordinated  activities  to  identify,  assess,  manage  and  monitor 
risks  in  a systematic  and  formalised  manner. 

3.3  Enterprise  Risk  Management 

Enterprise  Risk  Management  is  a broad  based  application  of  risk  management,  in  all 
major  functions  and  activities  of  the  municipality,  rather  than  in  selected  areas,  to 
identify,  assess,  monitor  and  appropriately  mitigate  all  material  risks. 

3.4  Risk  Appetite 

Risk  appetite  is  the  level  of  risk  that  an  organisation  is  prepared  to  accept,  before  action 
is  deemed  necessary  to  reduce  it.  It  represents  a balance  between  the  potential  benefits 
of  innovation  and  the  threats  that  change  inevitably  brings  on. 


4.  ROLES  AND  RESPONSIBILITIES 


The parties that have a significant role to play in the process of risk management
are set out below:

4.1 Executive authority (Council)

The executive authority should take an interest in risk management to the extent
necessary to obtain comfort that properly established and functioning systems of risk
management are in place to protect the municipality against significant risks.

Responsibilities  of  the  Executive  Authority  include: 

• Ensuring  that  the  institutional  strategies  are  aligned  to  the  Government  mandate; 

• Obtaining  assurance  that  the  municipality's  strategic  choices  were  based  on  a 
rigorous  assessment  of  risk; 

• Obtaining  assurance  from  management  that  key  risks  inherent  in  the  municipality's 
strategies  were  identified  and  assessed  and  are  being  properly  managed; 

• Assisting  the  accounting  officer  to  deal  with  fiscal,  intergovernmental,  political  and 
other  risks  beyond  their  direct  control  and  influence;  and 

• Insisting  on  the  achievement  of  objectives,  effective  performance  management  and 
value  for  money. 

• Approving the risk management policy, framework and implementation plan.

• Approving the Fraud Prevention Policy, Strategy and Implementation.

4.2  Accounting  Officer  (Municipal  Manager) 

The  accounting  officer  is  accountable  for  the  municipality's  risks. 

More  specifically,  the  high-level  responsibilities  of  the  accounting  officer  include: 

• Setting  an  appropriate  tone  by  supporting  and  being  seen  to  be  supporting  the 
municipality's  aspirations  for  effective  management  of  risks. 

• Delegating responsibilities for risk management to management and internal
formations such as the risk management committee.

• Holding management accountable for designing, implementing and monitoring risk
management and integrating it into their day to day activities.

• Holding the risk management committee accountable for performance in terms of its
risk management responsibilities.

• Providing  leadership  and  guidance  to  enable  management  and  the  risk  management 
committee  to  properly  perform  their  functions. 

• Ensuring  the  control  environment  supports  the  effective  functioning  of  risk 
management. 

• Approving  the  municipality's  risk  appetite  and  tolerance  level. 

• Devoting  personal  attention  to  overseeing  the  management  of  significant  risks. 

• Leveraging  the  audit  committee,  internal  audit,  external  audit  and  the  risk 
management  committee  for  assurance  on  the  effectiveness  of  risk  management. 

• Ensuring that appropriate action is taken in respect of the recommendations of the
audit committee, internal audit, external audit and the risk management committee to
improve risk management.

• Providing  assurance  to  relevant  stakeholders  that  key  risks  are  properly  identified, 
assessed  and  mitigated. 

4.3  Risk  Management  Committee 

The risk management committee is responsible for assisting the accounting officer in
addressing the oversight requirements of risk management and evaluating and
monitoring the municipality's performance with regard to risk management.

• Review  the  risk  management  policy,  framework,  risk  management  implementation 
plan  and  recommend  for  approval  by  the  executive  authority. 

• Review  the  fraud  prevention  policy,  strategy  and  implementation  plan  and 
recommend  for  approval  by  the  accounting  officer. 

• Review the risk appetite and tolerance and recommend for approval by Council.

• Review the municipality's risk identification and assessment methodologies to
evaluate their effectiveness in timeously and accurately identifying the
municipality's risks.

• Monitor  and  assess  the  implementation  of  the  risk  management  policy,  framework 
and  implementation  plan. 

• Monitor the reporting of risk by management, with particular emphasis on
significant risks or exposures and the appropriateness of the steps management has
taken to reduce the risks to an acceptable level.

• Review  the  material  findings  and  recommendations  by  assurance  providers  on  the 
system  of  risk  management  and  monitor  the  implementation  of  such 
recommendations. 

• Develop  its  own  key  performance  indicators  for  approval  by  the  accounting  officer. 

• Interact  with  audit  committee  to  share  information  relating  to  material  risks  of  the 
municipality. 

• Provide  timely  and  useful  reports  to  the  accounting  officer  on  the  state  of  risk 
management,  together  with  recommendations  to  address  any  deficiencies  identified 
by  the  committee. 

• Reviewing  the  impact  of  any  changes  in  the  municipality  on  the  risk  management 
process  and  response  to  these  changes  including  the  update  of  the  risk  profile. 

4.4  Audit  Committee 

The audit committee is an independent committee responsible for oversight of the
municipality's control, governance and risk management. The responsibilities of the
audit committee should be clearly defined in its charter.

The  responsibilities  of  the  audit  committee  include: 


• The audit committee should provide an independent and objective view of the
Municipality's risk management effectiveness;

• Reviewing and recommending disclosures on matters of risk and risk management
in the annual report;

• Providing feedback to the Executive Mayor on the adequacy and effectiveness of
risk management in the municipality, including recommendations for improvement;

• Ensure  the  acceptability  of  the  risk  profile  in  conjunction  with  the  overall  risk 
appetite  of  the  municipality,  taking  into  account  all  risk  mitigation  factors  including 
but  not  limited  to  internal  controls,  business  continuity  and  disaster  recovery 
planning,  etc. 

• Ensuring  that  the  internal  and  external  audit  plans  are  aligned  to  the  risk  profile  of 
the  Municipality; 

• Satisfying  itself  that  it  has  appropriately  addressed: 

(i)  Financial  reporting  risks,  including  the  risk  of  fraud; 

(ii)  Internal  financial  controls; 

(iii)  IT  risks  as  they  relate  to  financial  reporting. 

• The  audit  committee  should  evaluate  the  effectiveness  of  internal  audit  in  its 
responsibilities  for  risk  management. 

4.5  Chief  Risk  Officer 

The Chief Risk Officer provides specialist expertise in providing a comprehensive
support service to ensure systematic, uniform and effective risk management in the
municipality.

The  specific  roles  and  responsibilities  include: 

• Working  with  senior  management  to  develop  the  municipality's  vision  for  risk 
management. 

• Developing, in consultation with management, the municipality's risk management
framework, risk management policy, risk management implementation plan as well
as risk appetite and tolerance levels for approval by Council;

• Communicating the risk management policy, risk management framework and risk
management implementation plan to all stakeholders in the municipality and
monitoring its implementation;

• Continuously driving the risk management process towards higher levels of
maturity;

• Developing a common risk assessment methodology that is aligned with the
municipality's objectives at strategic, tactical and operational levels for approval by
the Accounting Authority;

• Assisting management with risk identification, assessment and the development of
response strategies;

• Monitoring the implementation of response strategies;

• Collating, aggregating, interpreting and analysing the results of risk assessments to
extract risk intelligence;

• Reporting risk intelligence to the accounting officer, management and the risk
management committee;

• Participating with internal audit, management and the Auditor-General in the
development of the assurance plan;

• Ensuring effective information systems exist to facilitate overall risk management
improvement within the municipality;

• Continuously transferring risk management principles and practices, through
training interventions, to all stakeholders within the municipality;

• Co-ordinating reporting on actual non-compliance incidents and losses incurred;

• Communicating with the audit committee and the risk management committee on
the status of risk management;

• Providing input into the development and subsequent review of the fraud prevention
strategy, business continuity plans, occupational health, safety and environmental
policies and practices and disaster management plans.


MIDVAAL  LOCAL  MUNICIPALITY 


RISK  MANAGEMENT  POLICY 


4.6  Internal  Audit 

Internal  audit  provides  independent,  objective  assurance  on  the  effectiveness  of  the  risk 
management  process.  The  specific  roles  and  responsibilities  include: 

• Internal  audit  must  evaluate  the  effectiveness  of  the  entire  system  of  risk 
management  and  provide  recommendations  for  improvement  where  necessary; 

• In  terms  of  the  International  Standards  for  the  Professional  Practice  of  Internal  Audit, 
determining  whether  risk  management  processes  are  effective  is  a judgement 
resulting  from  the  internal  auditor's  assessment  that: 

(i)  Municipality  objectives  support  and  align  with  the  municipality's  mission; 

(ii) Significant risks are identified and assessed;

(iii)  Risk  responses  are  appropriate  to  limit  risk  to  an  acceptable  level;  and 

(iv)  Relevant  risk  information  is  captured  and  communicated  in  a timely  manner 
to  enable  the  accounting  officer,  management  and  the  Risk  Management 
Committee  and  other  officials  to  carry  out  their  responsibilities. 

• Internal Audit must develop its internal audit plan on the basis of the key risk areas.

4.7  External  Audit 

The  external  auditor  (Auditor-General)  provides  an  independent  opinion  on  the 
effectiveness  of  risk  management.  In  providing  an  opinion  the  Auditor-General  focuses 
on: 

• Determining whether the risk management policy, framework and implementation
plan are in place and appropriate;

• Assessing  the  implementation  of  the  risk  management  policy,  framework  and  the 
implementation  plan; 

• Reviewing the risk assessment process to determine if it is sufficiently robust to
facilitate timely and accurate risk rating and prioritisation; and

• Determining whether management action plans to mitigate the key risks are
appropriate and are being effectively implemented.

4.8  Management 

Management  is  accountable  to  the  accounting  officer  for  designing,  implementing  and 
monitoring  risk  management,  and  integrating  it  into  the  day-to-day  activities  of  the 
municipality.  This  needs  to  be  done  in  such  a manner  as  to  ensure  that  risk 
management  becomes  a valuable  strategic  management  tool  for  underpinning  the 
efficacy  of  service  delivery  and  value  for  money. 

High  level  responsibilities  of  management  include: 

• Empowering  officials  to  perform  adequately  in  terms  of  risk  management 
responsibilities  through  proper  communication  of  responsibilities,  comprehensive 
orientation  and  ongoing  opportunities  for  skills  development; 

• Aligning  the  functional  risk  management  methodologies  and  processes  with  the 
Municipality's  processes; 

• Providing  risk  management  reports; 

• Presenting  to  the  risk  management  and  audit  committees  as  requested; 

• Maintaining  the  proper  functioning  of  the  control  environment  within  their  area  of 
responsibility; 

• Holding  officials  accountable  for  their  specific  risk  management  responsibilities; 

• Maintaining a harmonious working relationship with the Chief Risk Officer and
supporting the Chief Risk Officer in matters concerning the functions of risk
management; and

• Keeping key functional risks at the forefront of the management agenda and devoting
personal attention to overseeing the management of these risks.

4.9 Other Officials

All  other  officials  are  responsible  for  integrating  risk  management  into  their  day  to  day 
activities. 

Responsibilities  include: 

• Applying the risk management processes to their respective functions;

• Implementing the delegated action plans to address the identified risks;

• Informing their supervisors and/or the risk management unit of new risks and
significant changes in known risks; and

• Co-operating  with  other  role  players  in  the  risk  management  process  and  providing 
information  as  required. 

4.10  Risk  Management  Co-ordinators  / Departmental  Risk  Champions 

Risk  management  coordinators  are  drawn  from  the  existing  resources,  from  within  the 
operations  and  functions  of  the  various  business  units. 

Responsibilities  include: 

• Co-ordinate  risk  management  activities  within  functional  areas  in  the  municipality; 

• Assist  in  embedding  risk  management  within  the  municipality; 

• Arrange  and  facilitate  risk  meetings,  presentations  and  workshops  involving  staff 
within  the  functional  area; 

• Provide risk management training and development where required;

• Assist  in  collating  and  reporting  on  risk  information; 

• Provide  guidance  on  matters  relating  to  risk  management. 


5. RISK MANAGEMENT PROCESS

[Figure: Components of the Risk Management Process. Objective setting
(organisational context; risk management context); Risk identification (What can
happen? How can it happen?); Risk assessment (measuring likelihood; measuring
impact; establish the level of risk; assess risks); Risk response (identify treatment
options (strategy); evaluate treatment options; implement recommendations); Control
activities; Information and communication; Monitoring.]

5.1 Internal Environment

A municipality’s  internal  environment  is  the  foundation  of  risk  management,  providing 
discipline  and  structure.  The  internal  environment  influences  how  the  strategy  and 
objectives  are  established,  the  municipality's  activities  are  structured,  and  risks  are 
identified,  assessed  and  acted  upon.  It  influences  the  design  and  functioning  of  control 
activities,  information  and  communication  systems,  and  monitoring  activities. 

The  internal  environment  consists  of  ten  different  layers  that  should  all  be  present  and 
functioning: 

1.  Risk  Management  Philosophy 

The  risk  management  philosophy  is  the  set  of  shared  beliefs  and  attitudes  that 
characterise  how  the  municipality  considers  risk  in  everything  it  does  from  strategy 
development  and  implementation  to  its  day-to-day  activities. 

The  overall  risk  philosophy  of  the  municipality  is  to  identify,  assess  and  manage  its 
risks  so  as  to  preserve  its  strategic  objectives  and  create  value  for  all  its 
stakeholders. 

2.  Risk  appetite 

The  risk  appetite  can  be  defined  as  the  amount  of  risk  that  the  municipality  is 
willing  to  accept  in  pursuit  of  its  mission/vision. 

The risk appetite guides resource allocation. The risk appetite enables an
improved consistency of decision making at all levels through improving risk
understanding and also provides a framework for knowingly taking risk within
defined boundaries.

The key determinants of risk appetite are as follows:

• Expected  performance; 

• The  capital  needed  to  support  risk  taking; 

• The  culture  of  the  municipality; 

• Management  experience  along  with  risk  and  control  management  skills;  and 

• Longer  term  strategic  priorities. 

3.  Risk  tolerance 

Risk tolerances are the acceptable levels of variation relative to the achievement of
objectives. In setting risk tolerances, management should consider the relative
importance of the related objectives and align risk tolerances with risk appetite.
Operating within risk tolerances provides management greater assurance that the
municipality remains within its risk appetite and, in turn, provides a higher degree
of comfort that the entity will achieve its objectives/goals.

4.  Council 

The  municipality's  Council  is  a critical  part  of  the  internal  environment  and 
significantly  influences  other  environmental  elements. 

5.  Integrity  and  Values 

Management integrity is a prerequisite for ethical behaviour in all aspects of a
municipality's activities. The effectiveness of risk management cannot rise above
the integrity and ethical values of the people who create, administer and monitor
the municipality's activities.

6. Commitment to Competence

Competence  reflects  the  knowledge  and  skills  needed  to  perform  assigned  tasks. 
Management  should  decide  how  well  these  tasks  need  to  be  accomplished 
weighing  the  municipality’s  strategy  and  objectives  against  plans  for  strategy 
implementation  and  the  achievement  of  objectives. 

7.  Organisational  Structure 

The  municipality's  organisational  structure  provides  the  framework  to  plan, 
execute,  control  and  monitor  its  activities.  The  organisational  structure  should  be 
organised  to  enable  effective  risk  management  and  to  carry  out  its  activities  so  as 
to  achieve  its  objectives. 

8.  Authority  and  Responsibility 

This  includes  establishing  the  reporting  relationships  and  authorisation  protocols 
as  well  as  policies  that  describe  appropriate  practices,  knowledge  and  experience 
of  key  personnel  as  well  as  the  resources  for  carrying  out  duties. 

9.  Human  Resource  Policies  and  Procedures 

Human  Resource  Policies  and  Practices  pertaining  to  employing,  orientation, 
training,  evaluating,  counselling,  promoting,  compensating  and  taking  remedial 
actions  send  messages  to  employees  regarding  the  expected  levels  of  integrity, 
ethical behaviour and competence.

5.2 Objective setting

Objectives  must  exist  before  management  can  identify  events  potentially  affecting  their 
achievement.  The  setting  of  these  objectives  is  usually  completed  during  the  "Strategic 
planning  and  Budgetary  process." 

The  municipality's  objectives  can  be  viewed  in  the  context  of  four  categories: 

• Strategic  - relating  to  high-level  goals,  aligned  with  and  supporting  the  municipality’s 
mission/vision; 

• Operations  - relating  to  effectiveness  and  efficiency  of  the  municipality's  operations, 
including  performance  and  service  delivery  goals.  They  vary  based  on 
management's  choices  about  structure  and  performance; 

• Reporting - relating to the effectiveness of the municipality's reporting. This includes
external and internal reporting and may involve financial or non-financial information;

• Compliance  - relating  to  the  municipality's  compliance  with  applicable  laws  and 
regulations. 

After  having  clearly  documented  and  confirmed  the  municipality's  objectives,  it  is 
necessary  to  identify  all  potential  risks  and  threats  relating  to  processes,  assets  and 
strategy.  These  must  reflect  the  possible  problems  and  situations  that  may  hinder  the 
achievement  of  the  objectives  of  the  municipality. 

5.3  Risk  Identification 

The  Risk  identification  phase  is  a deliberate  and  systematic  effort  to  identify  and 
document  the  municipality’s  key  risks.  The  risk  identification  process  should  cover  all 
risks,  regardless  of  whether  or  not  such  risks  are  within  the  direct  control  of  the 
municipality.

Up to date and relevant information is important in identifying risks. Risk identification
should be strengthened by supplementing management's perceptions of risk with:

• Review of external and internal audit reports;

• Review of the reports of MPAC;

• Financial analysis;

• Historic data analyses;

• Actual loss of data;

• Interrogation of trends in key performance indicators;

• Benchmarking against peer groups or quasi peer groups;

• Market and sector information;

• Scenario analysis; and

• Forecasting and stress testing.

To  ensure  comprehensiveness  of  risk  identification  the  municipality  should  identify  risks 
through  appropriate  processes  of: 

Strategic  risk  identification  - This  means  to  identify  risks  emanating  from  the  choices 
made  by  the  municipality,  specifically  with  regard  to  whether  such  choices  weaken  or 
strengthen  the  municipality's  ability  to  execute  its  constitutional  mandate.  Strategic  risks 
should  be  formally  reviewed  concurrently  with  changes  in  strategy,  or  at  least  once  a 
year  to  consider  new  and  emerging  risks. 

Operational risk identification - This entails identifying risks concerned with the
municipality's operations. Operational risk identification should be repeated when
changes occur, such as significant environmental or institutional changes, or at least
once a year, to identify new and emerging risks.

Project risk identification - This means to identify risks inherent to particular projects.
Project risk should be identified for all major projects, covering the whole lifecycle. As for
long term projects, the project risk register should be reviewed at least once a year to
identify new and emerging risks.

5.4  Risk  assessment 

Risk  assessment  is  a systematic  process  to  quantify  or  qualify  the  level  of  risk  associated 
with  a specific  threat  or  event.  The  main  purpose  of  risk  assessment  is  to  help 
management  prioritise  the  identified  risks.  This  enables  management  to  spend  more 
time,  effort  and  resources  to  manage  risks  of  higher  priority  than  risks  with  lower  priority. 
The  output  of  the  risk  assessment  is  a risk  register  enriched  by  addition  of  ratings  for 
each  risk. 

Risks  should  be  assessed  on  the  basis  of  the  likelihood  of  the  risk  occurring  and  the 
impact  of  its  occurrence  on  the  particular  objective  it  is  likely  to  affect.  The  risk 
assessment  is  performed  using  a 3 step  process,  as  described  in  detail  in  the  Risk 
Management  Framework. 

5.5  Risk  response 

The  purpose  of  risk  response  is  to  develop  strategies  to  reduce  or  eliminate  the  threats 
and  events  that  create  risks.  Risk  response  involves  identifying  and  evaluating  the  range 
of  possible  options  to  address  risks  and  implementing  the  chosen  option. 

Management  should  develop  response  strategies  for  all  material  risks,  prioritising  the 
risks  exceeding  or  nearing  the  risk  appetite  level.  Response  strategies  should  be 
documented together with the responsibilities and timelines.

5.6 Control Activities

Risk responses serve to focus attention on the control activities needed to help ensure
that the risk responses are carried out properly and in a timely manner. Control
activities are part of the process by which a municipality strives to achieve its
objectives.

Control  activities  are  the  policies  and  procedures  that  help  ensure  that  management 
responses  are  properly  executed.  They  occur  throughout  the  municipality,  at  all  levels 
and  in  all  functions. 

Management  should  develop  the  internal  control  architecture  through: 

1.  Preventative  controls  to  prevent  errors  or  irregularities  from  occurring  e.g.  physical 
security  of  assets  to  prevent  theft; 

2.  Detective  controls  to  find  errors  or  irregularities  after  they  have  occurred  e.g. 
performance  of  reconciliation  procedure  to  identify  errors;  and 

3.  Corrective  controls  that  operate  together  with  detective  controls  to  correct  errors 
and  irregularities. 

The  internal  control  architecture  should  include: 

1.  Management  controls  to  ensure  that  the  municipality's  structure  and  systems 
support  its  policies,  plans  and  objectives,  and  that  it  operates  within  laws  and 
regulations; 

2. Administrative controls to ensure that policies and objectives are implemented in
an efficient and effective manner;

3. Accounting controls to ensure that resources are accounted for fully and
transparently and are properly documented; and

4.  Information  technology  controls  to  ensure  security,  integrity  and  availability  of 
information. 

5.7  Information  and  Communication 

Relevant information, properly and timeously communicated, is essential to equip the
relevant officials to identify, assess and respond to risks.

Effective  information  and  communication  is  intended  to  support  enhanced  decision 
making  and  accountability  through: 

• Relevant,  timely,  accurate  and  complete  information; 

• Communicating  responsibilities  and  actions. 

5.8  Monitoring 

Risk  management  should  be  regularly  monitored  - a process  that  assesses  both  the 
presence  and  functioning  of  its  components  and  the  quality  of  their  performance  over 
time.  Monitoring  can  be  done  in  two  ways:  through  ongoing  activities  or  separate 
evaluations.  This  will  ensure  that  risk  management  continues  to  be  applied  at  all  levels 
across  the  municipality. 

Monitoring  activities  should  focus  on: 

• Monitoring  of  risk  action  plans  - Risk  action  plans  need  to  be  monitored  on  an 
ongoing  basis  to  ensure  the  necessary  actions  are  implemented  on  schedule  and 
as  intended. 

• Monitoring of controls - The effective operation of existing controls, as well as their
cost effectiveness, needs to be evaluated regularly. Evaluations may include
management reviews, self assessment reviews and third party reviews as
appropriate. Internal audit should also perform periodic reviews of existing controls
and of the implementation of necessary additional controls.

• Monitoring  of  new  and  emerging  risks  - The  risk  profile  of  any  organisation  will 
change  over  time.  Thus  there  is  a need  to  monitor  and  review  the  risk  profile  of  the 
municipality  to  ensure  that  it  remains  relevant  and  complete.  Changes  in  strategy, 
the  legal  and  regulatory  environment,  restructuring,  loss  of  key  personnel, 
significant  control  deficiencies,  fraud,  and  changes  in  business  objectives  will 
require  an  immediate  review  of  municipal  risk  profiles. 

• Monitoring of the effectiveness of the risk management process - The
efficiency of the entire risk management process should be monitored periodically.
A positive correlation should exist between improvements in the system of risk
management and institutional performance.

5.9  Incident  Reporting 

Incident  reporting  is  another  means  of  risk  monitoring  and  reviewing  the  effectiveness  of 
controls.  Certain  disciplines  such  as  safety,  health,  environmental  and  quality  may 
already  have  in  place  incident  reporting  systems.  Such  reporting  systems  should  be 
integrated  into  the  broader  risk  management  incident  reporting  systems  in  order  to  avoid 
duplication  of  effort. 

5.10 Performance Measurement

Management's  performance  with  the  processes  of  risk  management  will  be  measured 
and  monitored  through  the  following  performance  management  activities: 

• Monitoring  of  progress  made  by  management  with  the  implementation  of  the  risk 
management  policy; 

• Monitoring  of  loss  and  incident  data; 

• Management’s  progress  made  with  risk  mitigation  action  plans;  and 

• An  annual  quality  assurance  review  of  risk  management  performance. 

6. PROCEDURES FOR EXECUTING RISK MANAGEMENT


Procedures on how Midvaal will integrate risk management into operations and day-to-day
activities will now be explained in the same sequence as contained in the flow
diagram reflected above under the heading "Risk Management Process".

6.1  Objective  setting 

Midvaal's objectives are set and documented at Council and senior
management level during the annual strategic planning programme and, furthermore,
during the revision of the Integrated Development Plan (IDP) & Service
Delivery & Budget Implementation Plan (SDBIP) for the financial year ahead.

Legislation gives guidance regarding the reporting expected from the municipality, and
thus there are procedures in place to do the necessary reporting timeously. This
furthermore implies that, in terms of compliance, Midvaal strives to be 100% compliant
with laws and regulations.

6.2  Risk  Identification 

The  initial  risk  identification  was  done  based  on  the  goals  and  objectives  as  set  in  the 
current  financial  period’s  IDP  and  the  SDBIP,  taking  into  account  findings  made  in  audit 
reports  from  previous  audits  done  by  external  and  internal  auditors.  These  risks  were 
duly  documented  in  the  Risk  Management  Implementation  Plan. 

Newly identified risks will be brought to the attention of the head of the department where
the official identified the risk, who will then report this to the last meeting of senior
management each month, where risk management will be a standing matter on the
agenda. After this item has been addressed at the senior management meeting, it will be
included in the Risk Management Plan.

As new audit reports become available, they will be scrutinised, and risks identified in this
manner will also be included after being addressed by senior management.

6.3  Risk  Assessment  and  Risk  Response 

On the initial document called Risk Assessment, the various departments on which the risk
will have an impact were responsible for doing the risk assessment as well as providing the
Chief Risk Officer with a risk response, as explained in detail in the Risk Management
Framework. Guidance on these assessments and responses was also given
verbally in the Risk Management Meetings held with the heads of department or their
delegates attending the meeting.

Where new risks emerge within a department, these will have to be assessed and a risk
response provided by the applicable department before they are reported to and addressed at
the senior management meeting.

6.4  Control  Activities 

As  mentioned  previously,  control  activities  are  the  policies  and  procedures  that  help 
ensure  that  management  responses  are  properly  executed.  They  occur  throughout  the 
municipality,  at  all  levels  and  in  all  functions. 

There are numerous policies and procedures in place in Midvaal, the use of which
is enforced for all applicable officials. These policies are reviewed on a regular basis
and amended if changes in operations occur.

6.5 Information and communication

Officials  already  in  the  employ  of  Midvaal  will  be  subjected  to  annual  comprehensive 
workshops  on  risk  management,  and  each  official's  responsibility  towards  this  matter  will 
be  stressed. 


6.6  Monitoring 

All  affected  departments  must  report  on  a quarterly  basis  on  the  progress  made  on  the 
actions  to  improve  the  management  of  risk,  as  contained  in  the  Risk  Management 
Implementation Plan. The Risk Management Officer will be responsible for updating the
Risk Management Implementation Plan with the information provided. Midvaal's Risk
Management  Committee  will  meet  on  a quarterly  basis,  to  address  the  progress  reported 
by  the  departments,  as  well  as  emerging  new  risks  reported  via  the  senior  management 
meetings.  The  Risk  Management  Committee  will  then  report  to  the  Municipal  Manager  on 
their  assessments,  by  means  of  submitting  their  report  and  minutes  of  the  meeting  held. 
After  this,  the  Municipal  Manager  will  report  to  Council  on  risk  management,  thus  also  on 
a quarterly  basis. 

The internal auditors will also conduct assessments at quarterly intervals, which will
form part of the meeting of the Risk Management Committee, as explained earlier.

An  incident  reporting  system  was  implemented  as  part  of  monitoring,  and  all  incidents  will 
be  reported  in  this  register,  including  theft  and  losses.  The  reporting  of  incidents  will  be 
done  in  the  same  manner  that  new  risks  are  treated  i.e.  it  will  be  reported  by  the 
department  where  it  originated,  to  the  senior  management  meeting  via  the  relevant  head 
of  department. 

These reports and progress must be made available to Gauteng Treasury, which will
monitor progress made by Midvaal by visiting the Risk Management Officer from time to
time.


6.7  Oversight 

In  terms  of  Section  166  (2)  of  the  Municipal  Finance  Management  Act,  Act  56  of  2003,  a 
Performance  and  Audit  Committee  is  an  independent  advisory  body  which  must  - 

“1. advise the municipal council, the political office-bearers, the accounting officer and
management  staff  of  the  municipality,  or  the  board  of  directors,  the  accounting  officer  and 
the  management  staff  of  the  municipal  entity,  on  matters  relating  to  - 

1. 

2. risk management;


The  Chief  Financial  Officer  will  provide  feedback  to  the  Performance  & Audit  Committee, 
during  its  quarterly  meetings. 


